Where do I start in business continuity? |
Taking the first few steps towards a business continuity management approach can seem a very daunting task. Ian Dunlop provides some useful advice.

Picture the situation: you have just landed the job of ensuring your organisation has ‘business continuity’. However, you don’t know the first place to start – what to do, who to ask and, most importantly, how to go about it.

While it is tempting to bury your head in the sand, it is important not to, as every organisation, no matter what its size, needs to have some form of business continuity plan in place – especially with the increasing requirements of direct or indirect regulation. It may well form part of the company’s overall risk management approach, or follow from a realisation that having an IT-focussed disaster recovery plan only covers one aspect of business continuity. One thing is for sure: taking the first few steps towards a business continuity management approach can seem a very daunting task indeed.

Some organisations manage to formulate ‘home grown’ approaches, ranging from gleaning information from the Internet to asking what friends in other organisations have done. However, with limited resources and, more importantly, limited time to create what seems like the impossible, using experienced external consultants is one way to put together plans and processes in a realistic timescale and to a satisfactory level.

No matter what business continuity approach you decide on, there are certain steps you can take to help kick-start the process and make sure that it becomes part of the organisation’s culture. The following list is intended to give a high-level guided approach that will at least start to build a solid foundation for an effective business continuity management (BCM) process:

It is essential to ensure that there is senior management support and sponsorship before starting a business continuity plan, and it is important to get it on the board’s agenda – and to keep it there. In order to ensure the process does not stall, the full support of the most senior committee of the organisation is needed. One committee member needs to be the overall sponsor, along with a clearly identified position for the initial project management, as well as for the ongoing drive and day-to-day management. In addition, to keep dialogue about the issues at the forefront, ensure that there is an agenda item relating to business continuity at all meetings, and also as part of the overall risk management quarterly reports. It is also important to agree and publish the organisational structure that will apply when an incident occurs; this should clearly indicate the command and communication structure. It is worth remembering that in an abnormal situation, normal democracy does not always apply.

The motives for business continuity management within the organisation need to be clearly defined. These can vary from industry regulation to pressure from suppliers or, more importantly, good risk management as required by corporate governance codes. Consider the risks of not having a formalised business continuity plan, e.g. fines from regulators, customers withdrawing orders and so on. As with all processes, a balance needs to be achieved between what is acceptable and cost effective and the overall organisational overheads associated with any new or additional processes, especially from the ongoing perspective.

Ownership must be from the business perspective, not only IT – and it must remain there. In many organisations, business continuity management is seen purely as an extension of the IT department’s disaster recovery process, and in many people’s eyes it still is an IT process. However, business continuity management, as the name suggests, is a management process for the business, of which IT disaster recovery is only one part. It must therefore be owned by the business and, although the actual work and management can be delegated, the authority and ownership cannot.

Business continuity management is not just about creating a plan – progression and ownership should continue after the initial planning stage. Equally, business continuity management should not be seen as just ticking boxes; instead it must form part of the whole culture of an organisation. The perception of business continuity management is often ‘all I have to do is create a plan’ with lots of information and what appear to be reasonably valid action points, with little thought as to how it can be seen through should a disaster actually occur. But therein lies the problem: how do you obtain the information, how valid is it, would the action points really work, and so on? The correct approaches must be followed, e.g. board ownership and sponsorship, business impact analysis, risk assessment, agreed strategy and so on. The result will be a living and breathing process, with regular reviews and effective change and version control.

It is important to identify:
- what are the critical processes you need to recover;
- within what minimum timeframes recovery will be required;
- what resources will be needed to implement business continuity measures.

You must identify how long you can survive before the organisation needs to be back to normal operations – this is largely a financial question. The board (or equivalent) will need to review and ratify what is acceptable to the organisation as a whole once all the information is made available – and only they can make those decisions.

Look at what you may already have in respect of alternative arrangements, e.g.:
- Dual-site IT;
- Maintenance contracts;
- Other third-party arrangements;
- Manual workarounds;
- Other alternative working arrangements.

Sometimes it may be apparent that existing arrangements are not reviewed as part of the business continuity management process. It can be possible, for example with a dual IT site, that with some changes of equipment, software configurations and locations, as well as better resilience, a business continuity answer is also achieved. When reviewing maintenance contracts, also consider how long the organisation can wait for the repair before it needs to invoke business continuity or disaster recovery arrangements – and whether that ties in with the business expectations of when services will be available again.

Don’t re-invent documentation – if it already exists, reference it, store it in a common place (both electronically and physically) and ensure change management/version control procedures exist. It is all too easy to cut and paste from existing documents into business continuity plans – but that immediately creates the problem of two versions of the same words – and how do you maintain them? Any document should have version control – from simple (different numbers in the filename; different date in the footer) to using file management systems. Having documents stored in common directories (with controlled access) that are regularly copied offsite physically (or burnt to CD or mirrored to another server) means that when disaster strikes, the relevant up-to-date documents needed to assist in the recovery will always be available.

Perceptions and assumptions need to be challenged, managed and documented. While there is nothing wrong with perceptions and assumptions, you need to be aware of them and of how they will be handled. As part of the business continuity management process, perceptions need to be addressed by understanding what the real issues are, and assumptions need to be answered and dealt with wherever possible – and if not, then documented within the business continuity management process (probably the plans) as to what they are. At all stages, there needs to be management understanding and awareness.

KEEP IT AS SIMPLE AS POSSIBLE – if a business continuity management approach varies too much from standard day-to-day procedures, then when it comes down to that 2am call, it won’t work. This especially applies when writing plans: a common error is to include tasks in a recovery process that are not actually part of that process or of the department’s normal working approach. Identify who would deal with that particular item in normal working, and ensure that it is part of their plan. There can still be a reference to that item in the recovery plan, but not as a specific action – rather as a confirmation that the action is being, or has been, taken.

Document, exercise, review, amend and keep at it! Business continuity management is a living, ongoing process that will only be as good as the last time it was reviewed and exercised. At least once a year the plans should be tested, but this depends on the size and geographical locations of an organisation. A single site may warrant a test once a year, but as an example, one client with several sites around the UK is exercising one site’s business continuity plans along with IT disaster recovery every month – but they have built up to this over a number of years! Start simple with desktop walkthroughs and telephone cascade checks, and build up to combined exercises and, if you feel brave enough, unannounced full recoveries!